Firefox, Internet Explorer team together for critical vulnerability

As if having IE7.com point to a Firefox advertisement wasn't strange enough, …

A strange but critical vulnerability has been discovered in Firefox that could allow a malicious website to create user profiles, install Global Extensions, and set several options within the popular browser. In Firefox 2.0.0.2 and above, the browser's installer registers a "firefoxurl" Uniform Resource Identifier (URI) handler in the Windows Registry.

While some experts believe that Firefox should have used Dynamic Data Exchange (DDE) rather than registering a URI to pass information, the actual vulnerability occurs when Firefox.exe is executed from Internet Explorer.

Using, for example, the "-chrome" parameter, it is possible to execute arbitrary JavaScript in chrome context. This can be exploited to execute arbitrary commands, for example when a user visits a malicious website using Microsoft Internet Explorer.

Thor Larholm, the researcher who discovered the flaw, insists that the blame falls on Internet Explorer. "Firefox is the current attack vector but Internet Explorer is to blame for not escaping quote characters when passing on the input to the command line." He also notes that Internet Explorer behaves similarly with other handlers. "Internet Explorer doesn’t filter the input for the irc:// or aim:// URL protocol handlers either. The exploitability on those depends on what arguments each application accepts."
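The quoting problem Larholm describes can be reproduced offline. The following is an added example, not code from the article, the researcher or either browser: the handler template, the executable path, the `-extra-flag` argument and the sample URL are constructed placeholders, and the argument splitter is a simplified model of Windows command-line parsing that omits backslash escaping.

```python
from urllib.parse import quote

# Constructed handler command template (placeholder path and flag, not a
# real registry value). "%1" is where the caller substitutes the URL.
TEMPLATE = r'"C:\Apps\browser.exe" -url "%1"'

# Constructed URL whose embedded quote closes the quoted "%1" slot early.
SAMPLE_URL = 'firefoxurl:page" -extra-flag "value'


def split_windows_args(cmdline):
    """Simplified Windows-style splitting: a double quote toggles quoted
    mode, whitespace outside quotes ends an argument."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def build_raw(url):
    """Caller that pastes the URL into the template without escaping."""
    return TEMPLATE.replace("%1", url)


def build_escaped(url):
    """Caller that percent-encodes quotes and whitespace before substitution."""
    return TEMPLATE.replace("%1", quote(url, safe=":/?#[]@!$&'()*+,;=%"))


def injects_arguments(cmdline):
    """True when the command line holds a different number of arguments
    than the template intended (program, -url, one URL)."""
    return len(split_windows_args(cmdline)) != len(split_windows_args(TEMPLATE))


if __name__ == "__main__":
    for build in (build_raw, build_escaped):
        line = build(SAMPLE_URL)
        print(build.__name__, injects_arguments(line), split_windows_args(line))
```

The same argument-count check can be applied to any registered URL protocol handler whose command line embeds `"%1"`, which is why the irc:// and aim:// handlers are mentioned alongside firefoxurl.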

The director of Symantec's Security Response Center, Oliver Friedrichs, believes that both browsers should share the heat. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

No matter which company ends up fixing the problem, right now users should avoid clicking suspicious links (which should be done anyway), and system administrators can opt to disable the "firefoxurl" URI handler.